From: Stephen Smalley Date: Fri, 4 Oct 2024 17:27:10 +0000 (-0400) Subject: selinux: Deprecate /sys/fs/selinux/user X-Git-Tag: v6.13-rc1~208^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7b6918e22c74f2b354d8dc0ef31ab17ae334b93;p=thirdparty%2Fkernel%2Flinux.git selinux: Deprecate /sys/fs/selinux/user The only known user of this interface was libselinux and its internal usage of this interface for get_ordered_context_list(3) was removed in Feb 2020, with a deprecation warning added to security_compute_user(3) at the same time. Add a deprecation warning to the kernel and schedule it for final removal in 2025. Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore --- diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/obsolete/sysfs-selinux-user new file mode 100644 index 0000000000000..8ab7557f283fe --- /dev/null +++ b/Documentation/ABI/obsolete/sysfs-selinux-user @@ -0,0 +1,12 @@ +What: /sys/fs/selinux/user +Date: April 2005 (predates git) +KernelVersion: 2.6.12-rc2 (predates git) +Contact: selinux@vger.kernel.org +Description: + + The selinuxfs "user" node allows userspace to request a list + of security contexts that can be reached for a given SELinux + user from a given starting context. This was used by libselinux + when various login-style programs requested contexts for + users, but libselinux stopped using it in 2020. + Kernel support will be removed no sooner than Dec 2025. diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index e172f182b65cc..234f4789b7874 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1069,6 +1069,10 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size) int rc; u32 i, len, nsids; + pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" + " This will not be supported in the future; please update your" + " userspace.\n", current->comm, current->pid); + length = avc_has_perm(current_sid(), SECINITSID_SECURITY, SECCLASS_SECURITY, SECURITY__COMPUTE_USER, NULL);